
I can create a detached screen session using the following command:

[user1@host-pc ~]$ screen -d -m -S sname program

...and resume to it using this command:

[user1@host-pc ~]$ screen -r sname

Is there a way to let users that are in the same group as user1 access the session?

Edit: I've read the man page, and I know about the multiuser mode. I'm asking specifically about allowing screen sessions to be shared by user groups (/etc/group).

i.e. all users in group `users` are allowed to share session sname, without manually acladd'ing each user in screen.

johndir
  • The answer appears to be "no, you cannot (without scripting or source code modifications)." Screen (at least recent versions) has many built-in checks to prevent tampering with permissions on the sockets in `/var/run/screen` outside of its `acladd` and `aclgrp` facility, and you will get messages like `Directory /var/run/screen/S-username must have mode 700` if you have altered those permissions manually. – TheDudeAbides Mar 12 '20 at 07:18

3 Answers


Yes, it is possible, but your screen binary should have the suid bit on, and this has some security implications. Basically you should do the following in order to be able to share a screen session:

chmod u+s /usr/bin/screen

Then as a user (let's suppose that its username is user1), you should run screen and run the following two commands in it:

<ctrl+a>:multiuser on
<ctrl+a>:acladd user2

Finally, user2 should be able to connect to the session with the following command:

screen -x user1/

You can find more information here.

Vladimir Blaskov
  • This is a very good summary of multi-user mode (and thanks!), but unfortunately does not answer the OP question of how to directly add an **entire `/etc/group` group** for access to the multi-user session. – TheDudeAbides Mar 12 '20 at 07:10

You can enable multiuser mode either via .screenrc, or within the session by using Ctrl+a : with multiuser on. Access can then be controlled by adding individual users with acladd user2, or by re-creating group lists within screen acls (aclgrp).

I do not believe there is a way to directly use unix groups for screen multiuser ACLs.

See man screen or http://aperiodic.net/screen/multiuser

baptr
  • Here is a [Wayback Machine capture](https://web.archive.org/web/20160729064820/http://aperiodic.net:80/screen/multiuser) of that page on aperiodic.net before bit rot set in. – TheDudeAbides Mar 12 '20 at 07:47

Hello from the year 2020! The answer still seems to be "no, you cannot (without scripting or source code modifications)."

I have a suspicion (but only), that this may be one of those circumstances where Expect—a surprisingly underappreciated Unix automation tool—may come in handy.

Screen, at least recent versions, has many built-in checks to prevent tampering with permissions on the sockets in /var/run/screen outside of its acladd and aclgrp facility.

If you try to make the permissions on /var/run/screen/S-username more permissive (to give another Unix group access), you will still get an error message like

Must run suid root for multiuser support.

if you attempt to screen -r username/ with an existing socket.

If you sudo chmod u+s /usr/bin/screen, you will get the error message

Directory /var/run/screen/S-username must have mode 700

if you have altered those permissions manually, which would seem to preclude using chmod or setfacl to set permissions on the socket at the filesystem level. If you've met Screen's expectations as far as filesystem permissions, but haven't explicitly added the user trying to access the socket to the access list with Ctrl+A :acladd, you get the error message

Access to session denied.

Offhand, I don't know of any easy solutions to your problem offered by tmux either, but wemux seems to be a popular wrapper for making multi-user shared sessions easier to work with, and might help you in achieving your goals.

Edit: This tidbit from aperiodic.net/screen/multiuser (Wayback capture) makes it seem like you could script the :acladd operations while iterating over the membership of a particular group from /etc/group by first transmitting the following escape sequence:

screen can allow programs to send commands to it via the escape sequence ESC ] 83 ; cmd ^G; in order for this to work, the pseudo-user :window: must exist and have the appropriate permissions to execute the supplied command.
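As an added example (my own script, not code from any of the answers above or from the screen project): the procedure in the first answer (`multiuser on`, one `acladd` per user, then `screen -x owner/`) and the group-iteration idea in the last answer can be combined through screen's non-interactive `-X` option, which executes a screen command inside a named running session, so no terminal escape sequence or Expect is needed. The helper names (`group_members`, `primary_members`, `acl_commands`, `share_session_with_group`), the session name `sname` and any group or passwd lines passed to the functions are assumptions or constructed sample data, not values from the page.

```shell
#!/bin/sh
# Added example: grant every member of one Unix group access to a running
# multiuser screen session by driving screen's own ACL facility with
# "screen -X".  Assumptions: the session owner runs this, the screen binary
# is setuid root (the page notes this is required for multiuser support),
# and the session name is supplied by the caller.

# group_members GROUPLINE
# Print the explicit members of one /etc/group-format line, one per line.
group_members() {
    members="${1##*:}"              # fourth field: user1,user2,...
    [ -n "$members" ] || return 0
    printf '%s\n' "$members" | tr ',' '\n'
}

# primary_members GID PASSWD_TEXT
# Users whose *primary* group is GID are not listed in /etc/group's member
# field, so pick them out of passwd-format text as well.
primary_members() {
    printf '%s\n' "$2" | awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# acl_commands SESSION GROUPLINE PASSWD_TEXT
# Emit the exact screen commands that would grant access, one per line and
# deduplicated, so the list can be reviewed before anything is executed.
acl_commands() {
    session="$1"
    gid=$(printf '%s\n' "$2" | cut -d: -f3)
    printf 'screen -S %s -X multiuser on\n' "$session"
    { group_members "$2"; primary_members "$gid" "$3"; } | sort -u |
        while IFS= read -r user; do
            printf 'screen -S %s -X acladd %s\n' "$session" "$user"
        done
}

# share_session_with_group SESSION GROUP
# Live mode: resolve the group with getent (so NSS sources beyond the flat
# /etc/group file are honoured) and run each generated command.
share_session_with_group() {
    session="$1" group="$2"
    line=$(getent group "$group") || { echo "no such group: $group" >&2; return 1; }
    acl_commands "$session" "$line" "$(getent passwd)" | sh -e
}

# Example invocation (run by the session owner after "screen -d -m -S sname"):
#   share_session_with_group sname users
```

Two practical points. Membership is read once, so the ACL is a snapshot: re-run the script when the group changes, and use `acldel` (or `aclgrp` inside screen) to revoke a user rather than touching the socket permissions, which screen rejects as the last answer shows. Because the setuid bit on the binary is what makes this work at all, keep the generated command list reviewable (run `acl_commands` on its own first) and limit it to the one group that genuinely needs the session.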